Is it possible to use agent forwarding excluding all keys from being forwarded, except ones specifically stated? Alternatively, are there any ways to specify the order the keys are tried per session?
Using ssh-agent requires managing different sockets: https://superuser.com/questions/357602/use-a-specified-key-from-ssh-agent/401737#comment396923_358604
Are there any alternative agents that are more easily configurable?
For example:
Client A --> ssh/agent-forwarding --> Server B --> Server C
|
------> Server D
I want to allow only one key in agent forwarding, allowing: A -> B -> C, and not A -> B -> D. Or at least specify the order the keys are tried.
(Edited for clarity after @jeff-ferland answer.)
Best Answer
I'm not aware of any agents that allow for the selective forwarding of keys as you've diagramed. Once a key is forwarded to a host, it's as if it were locally stored and can be used to authenticate against any host from there.
Looking at your question on another level, I have two ideas about what you might be trying to do:
If this is your goal, you cannot achieve it through control of authentication keys. You must control access through architecture and host restrictions such that no host which can be accessed remotely is capable of accessing a "safe" host.
If this is your goal, it's a misunderstanding of how to protect keys. Keys themselves are never forwarded. The ability to access the ssh agent to authenticate against a key is forwarded. However, that forwarding can only be taken advantage of while the forwarding is in place and only if the machine you've forwarded your agent to is run by an untrustworthy admin (voluntarily or through compromise). Thus in your diagram, unless you successfully log from machine B -> D and export forwarding from A -> B -> D, you are not at risk of exposing your credentials. You can forward from A -> B safely if you trust B.
I suggest you read a very verbose explanation of how forwarding works with diagrams if you're still unclear about the concept.